COMMAND

    Tektronix (Xerox)

SYSTEMS AFFECTED

    Tektronix (Xerox) PhaserLink Webserver

PROBLEM

    Ltlw0lf posted the following.  New Tektronix (Xerox) printers have
    covered  up  a  security  through  obscurity  flaw  discovered  in
    November,  1999  with  more   security  through  obscurity.    The
    unauthenticated  and  unfiltered  administrator configuration page
    on the PhaserLink webserver is now located at the URL

        http://printername/_ncl_subjects.shtml

    Furthermore, Tektronix has added the item "Userid:" to the printer
    config page, supposedly to add more granularity (or obscurity)  to
    the configuration process.  However, this may allow unfiltered and
    unauthenticated users to discover the administrator's valid userid
    and password.  And more, the printer's webserver cannot be  turned
    off using the html interface.

    On  November  16,  1999,  we  had  a  backdoor  in  the PhaserLink
    Webserver  for  Tektronix  Printers.   The  backdoor  allowed   an
    attacker   unfiltered   and   unauthenticated   access   to    the
    configuration  of  the  printer.   Many  of the Tektronix printers
    available  at  the  time  had  this  backdoor.   A few days later,
    another  bugtraq  poster  discovered  that this vulnerability also
    allowed  an  unfiltered  and  unauthenticated  user  to ultimately
    physically  deny  service  on  the  printer  by  forcing  it  into
    Emergency  Power  Off  mode,  which  meant  the printer would turn
    itself off without properly voiding the ink or crayon reservoir.

        http://oliver.efri.hr/~crv/security/bugs/Others/tronix.html
        http://oliver.efri.hr/~crv/security/bugs/Others/tronix2.html

    If the reservoir cooled, the ink or crayons would coagulate, and
    the printer would be physically damaged.

    Tektronix made things more insecure as well as using more security
    through  obscurity  to  hide  the  problem  exposed  in  the first
    vulnerability  report.   As  a  matter  of  fact,  the  last
    communications Ltlw0lf received from them on this issue were in
    the beginning of 2000.

    Tektronix  apparently  fixed  the  problem,  but  not  in a secure
    fashion.   Ltlw0lf  recently  had  the  opportunity  to  play with
    several new 850 printers.   The new printers appear to  have fixed
    the problem, at least in a majority of the half-dozen machines  he
    has played with.  Typing in the backdoor URL produced an Error 404
    message.  However, all of the webservers responded to the URL:

        http://printername/_ncl_subjects.shtml

    It appears that Tektronix covered up the URL after the vulnerability
    report was posted by changing the URL slightly.  This was actually
    discovered during the testing of the printer.  We noticed that most
    of the pages on the server now end with the extension .shtml.
    However, typing in the filename ncl_subjects.shtml also produced an
    Error 404.  Ltlw0lf accidentally typed _ncl_subjects.shtml at one
    point during the testing, and the page popped up.  So Tektronix has
    "secured" the webpage by adding a "_" and an "s".  This is literally
    the first time we have caught a backdoor by dumb luck, but it only
    took about 20 minutes of playing.  The first URL was given to us by
    Tektronix Technical Support.  But it definitely proves one of the
    three reasons that security through obscurity fails: pure dumb luck.

    The new URL allows the same sort of access that the previous URL
    backdoor allowed.  Configuration pages themselves live at the
    URLs

        http://printername/_ncl_items.shtml&SUBJECT=*

    where  "*"  is   the  number  corresponding   to  the   particular
    configuration page.  Again, Tektronix has included the ability  to
    remotely  (and  unauthenticated)  physically  deny  service to the
    printer by setting the "Shutdown" option on the URL

        http://printername/_ncl_items.shtml&SUBJECT=1

    to "Emergency Power Off," but we have yet to find someone  willing
    to allow us to test this.  Obviously setting "Factory Default"  to
    true is a much less destructive Denial of Service as it resets the
    printer, but doesn't damage anything.

    Tektronix has  added a  whole new  (and very  bad) wrinkle  to the
    HTTP config page.  As previously discovered, the HTTP Config  page
    on 740 machines allowed  users to view the  administrator password
    without any sort of authentication or filtering.  This means  that
    anyone on the planet can access this information and use it to
    reconfigure other parts of the machine using the URL

        http://printername/ncl_items.html&SUBJECT=2097

    Tektronix now has both a userid and a password field available  in
    plain-text by typing the URL

        http://printername/_ncl_items.shtml&SUBJECT=2097

    This has the effect of essentially allowing an ignorant user (and
    believe me, any user who has a printer outside of a firewall is an
    ignorant one) to broadcast their standard userid and password to
    the world.  This allows an attacker to discover a potentially
    legitimate password on other computer systems, and the rest, as
    they say, is history.

    Furthermore, Tektronix  has taken  away one  of the  two fixes  we
    proposed  in  the  last  advisory.   One  of  our  suggestions for
    network administrators  to fix  the problem  was to  use the  "On"
    switch on the

        ncl_items.html&SUBJECT=2097

    webpage to turn off the webserver on the printer, which apparently
    turned off this  backdoor quite effectively.   However, while  the
    new  printers  still  have  this  switch, the functionality of the
    switch has been broken or turned off, so this option is no  longer
    available to network administrators.  The only way to protect  the
    printer from attack is to put it behind a firewall.

    Ltlw0lf is still playing, there may be more...  This info  applies
    to 750DP, 850 and 930 printers so far.
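
    The following is an added example and is not part of Ltlw0lf's post
    or of any Tektronix/Xerox code.  It is a read-only probe that asks a
    PhaserLink webserver for the page paths named above (the original
    ncl_items.html page and the renamed _ncl_* pages) and reports which
    of them are served with a plain 200 and no authentication challenge.
    It assumes the printer answers unencrypted HTTP on port 80.  The
    embedded mock server, its HTML, and the "Userid:"/"Password:" labels
    the probe looks for are constructed stand-ins for what an 850 might
    return, not captures from a real printer; the probe only issues GET
    requests and never submits a form, so it cannot trigger "Emergency
    Power Off" or "Factory Default".

```python
"""Probe a PhaserLink webserver for the unauthenticated config pages
named in the advisory.  Read-only: GET requests only, nothing is set."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Paths quoted in the advisory: the Nov. 1999 page and its renamed successors.
OLD_CONFIG_PAGE = "/ncl_items.html&SUBJECT=2097"
NEW_SUBJECT_INDEX = "/_ncl_subjects.shtml"
NEW_CONFIG_PAGE = "/_ncl_items.shtml&SUBJECT=2097"
NEW_SHUTDOWN_PAGE = "/_ncl_items.shtml&SUBJECT=1"
PROBE_PATHS = (OLD_CONFIG_PAGE, NEW_SUBJECT_INDEX, NEW_CONFIG_PAGE, NEW_SHUTDOWN_PAGE)
CREDENTIAL_PAGES = (OLD_CONFIG_PAGE, NEW_CONFIG_PAGE)


def fetch(host, port, path, timeout=5.0):
    """GET one path.  Returns (status, body) or (None, '') if unreachable."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("latin-1", "replace")
    except OSError:
        return None, ""
    finally:
        conn.close()


def classify(results):
    """Summarise {path: (status, body)}.

    A 200 means the page was served without a 401/403 challenge, i.e. it
    is reachable unauthenticated.  leaks_credentials is set when one of
    the config pages carries a Userid or Password field in the clear."""
    exposed = [p for p, (status, _) in results.items() if status == 200]
    leaks = any(
        status == 200 and ("Userid" in body or "Password" in body)
        for p, (status, body) in results.items() if p in CREDENTIAL_PAGES
    )
    return {"exposed": exposed, "leaks_credentials": leaks}


def probe(host, port=80):
    """Probe every known path on one printer and classify the result."""
    return classify({p: fetch(host, port, p) for p in PROBE_PATHS})


# --- constructed mock of a "fixed" 850: old URL 404s, renamed pages answer ---
MOCK_PAGES = {  # constructed HTML, not captured from a real printer
    NEW_SUBJECT_INDEX: "<html><body><a href='_ncl_items.shtml&SUBJECT=2097'>"
                       "Config</a></body></html>",
    NEW_CONFIG_PAGE: "<html><body><form>Userid: <input name='uid' value='admin'>"
                     "Password: <input name='pw' value='secret'></form></body></html>",
    NEW_SHUTDOWN_PAGE: "<html><body><form>Shutdown: <select><option>None"
                       "<option>Emergency Power Off</select></form></body></html>",
}


class MockPhaserLink(BaseHTTPRequestHandler):
    def do_GET(self):
        body = MOCK_PAGES.get(self.path)
        if body is None:
            self.send_response(404)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        data = body.encode("latin-1")
        self.send_response(200)  # no WWW-Authenticate: served unauthenticated
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock_printer():
    """Start the mock on an ephemeral loopback port; returns the port."""
    server = HTTPServer(("127.0.0.1", 0), MockPhaserLink)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


if __name__ == "__main__":
    port = start_mock_printer()
    report = probe("127.0.0.1", port)
    for path in report["exposed"]:
        print("served unauthenticated:", path)
    print("credentials visible in clear:", report["leaks_credentials"])
```

    Run it against a real printer with probe("printername") from a host
    on the printer's subnet.  Any 200 from a _ncl_items.shtml page means
    the firewall or the "no default gateway" workaround is not in place
    for that device; a 401 or 403 would be the first sign the page had
    actually been put behind authentication.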

SOLUTION

    Do not set a default gateway for the printer's IP configuration.
    This should limit the vulnerability to your own subnet.

    It is highly recommended to  assign private IPs to all  items such
    as printers, fancy fax machines, switches, etc...  The only reason
    to give them a public IP is convenience.  Convenience and security
    usually cancel each other out. It's hard to have one if you're big
    on the  other.   Assign private  IP subnets  to the  same internal
    subnets that you  used the public  IPs on, route  them internally,
    and  get  real  big  on  ingress/egress filtering of those RFC1918
    blocks.   Then  only  your  own  users  can  hurt  you.  Sure it's
    not  a  fix-all,  but  it's  usually  easier  to gain accountability
    locally than on the 'Net at large.

    Official response is  that the Phaser  850 launched in  Feb. 2000.
    The product development cycle for a product like this is roughly 2
    years and the  code is usually  complete many weeks  before launch
    to allow manufacturing ramp-up. So any expectation that the Phaser
    850 would incorporate the input  from Dec. '99, is not  realistic.
    That input, however, has been incorporated into future products.

    An emergency shut-down will  not cause a catastrophic  failure due
    to ink "coagulation".  In a solid ink printer, the ink is solid at
    room temperature  and liquid  only while  heated in  the printhead
    [This eliminates the colorant  (ink/toner) messes common in  other
    technologies].  Any loss of power will cause the heated ink in the
    head to cool to solid form. An emergency shut-down is no different
    than a power failure which the printer is designed to handle.